BHI: The Newest Spectre Vulnerability Affecting Intel & Arm CPUs
BHI is short for Branch History Injection; when first discovered it was coined Spectre-BHB by the researchers. A proof-of-concept exploit exists for leaking arbitrary kernel memory on modern Intel CPUs with BHI. Arm CPUs are also affected, while AMD CPUs are not believed to be affected. Roughly speaking, Intel CPUs vulnerable to Spectre Variant Two are also believed to be impacted by BHI. Intel will be releasing software mitigations for BHI shortly -- presumably as soon as now, with the embargo lifting this minute.
BHI is an extension of Spectre V2 that leverages the global branch history to re-introduce the exploitation of cross-privilege BTI. BHI allows exploiting systems that already have newer in-hardware mitigations such as Intel eIBRS and Arm CSV2. As for whether the eIBRS and CSV2 mitigations are considered "broken", the researchers note that the mitigations work as intended but the residual attack surface is "much more significant than the vendors originally assumed."
BHI is the newest Spectre class vulnerability to go public and does affect modern Intel and Arm processors.
Neoverse N2 / N1 / V1 back through the likes of Cortex A15 / A57 / A72 and others are affected by this new vulnerability. Arm is releasing five different mitigations depending upon the SoC.
Besides needing software mitigations for affected Intel and Arm CPUs, the security researchers recommend disabling unprivileged eBPF support as an additional precaution.
The BHI proof of concept from VUSec is used to leak root entry data from /etc/shadow.
BHI is being tracked as CVE-2022-0001 and CVE-2022-0002 on the Intel side and Arm is using CVE-2022-23960.
More details on BHI can be found via the information to be posted on the VUSec site. A paper on BHI will be presented at the USENIX Security conference.
Update (13:10 EST): Intel has posted a list of affected CPUs confirming up through Alder Lake is indeed affected as well as Ice Lake servers.
Update 2: Linux Lands Mitigations For Spectre-BHB / BHI On Intel & Arm, Plus An AMD Change Too
Update 3: Intel has now provided us with this statement on BHI: "The attack, as demonstrated by researchers, was previously mitigated by default in most Linux distributions. The Linux community has implemented Intel's recommendations starting in Linux kernel version 5.16 and is in the process of backporting the mitigation to earlier versions of the Linux kernel. Intel released technical papers describing further mitigation options for those using non-default configurations and why the LFENCE; JMP mitigation is not sufficient in all cases."
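A quick host-side check for the two points the article raises (the kernel's reported Spectre v2 state, and the researchers' advice to disable unprivileged eBPF), as an added example that is not from the article, Intel or VUSec. It assumes a Linux host exposing /sys/devices/system/cpu/vulnerabilities/spectre_v2 and the kernel.unprivileged_bpf_disabled sysctl; the status strings used below are constructed samples in the format the Linux mitigation prints.

```shell
#!/bin/sh
# bhi_assess STATUS BPF_SETTING -> prints a one-word verdict, exit 0 = acceptable
#   STATUS      : contents of /sys/devices/system/cpu/vulnerabilities/spectre_v2
#   BPF_SETTING : value of kernel.unprivileged_bpf_disabled (0 = enabled, 1/2 = disabled)
bhi_assess() {
    status="$1"
    bpf="$2"
    case "$status" in
        "Not affected")
            echo "not-affected"; return 0 ;;
        Vulnerable*)
            # The kernel itself reports the current configuration as exploitable,
            # e.g. "Vulnerable: eIBRS with unprivileged eBPF" on BHI-aware kernels.
            echo "vulnerable"; return 1 ;;
        Mitigation*)
            if [ "$bpf" = "0" ]; then
                # Mitigation present, but unprivileged eBPF is still enabled,
                # which the researchers recommend turning off as an extra precaution.
                echo "mitigated-but-unprivileged-ebpf"; return 1
            fi
            echo "mitigated"; return 0 ;;
        *)
            echo "unknown"; return 2 ;;
    esac
}

# bhi_check_host reads the live values from sysfs and sysctl and calls bhi_assess.
# Assumption: if the sysctl cannot be read, treat unprivileged eBPF as enabled (0),
# i.e. fail conservatively rather than report a clean host.
bhi_check_host() {
    sysfs=/sys/devices/system/cpu/vulnerabilities/spectre_v2
    [ -r "$sysfs" ] || { echo "unknown"; return 2; }
    status=$(cat "$sysfs")
    bpf=$(sysctl -n kernel.unprivileged_bpf_disabled 2>/dev/null || echo 0)
    bhi_assess "$status" "$bpf"
}
```

Run `bhi_check_host` on the host; a non-zero exit means either the kernel reports a vulnerable configuration or the mitigation is in place but unprivileged eBPF is still enabled.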